When a control is first put in place, it works as intended. People are aware of it and leaders are on top of compliance. But three months go by, then six, then a year, and the same controls get overlooked, performed incorrectly, or not performed at all because the people responsible for them have become apathetic.

What Makes Control Systems Reliable

This is how things happen at companies. The question is not whether controls will come under pressure to degrade over time; they will. The question is whether the control environment has been established in a way that sustains effectiveness despite inevitable business changes, employee turnover, and shifting circumstances.

The Structural Foundation Issue

Most controls fail not because a bad control was put in place but because there is no structural foundation that lets controls withstand organizational change.

Too often, companies implement controls as one-off actions: if/then scenarios of "do this when that happens", a box to check during month end, a report to run quarterly. These stand-alone controls work at first. They eventually fail because they are actions disconnected from the business processes they sit in and from the risk assessment that justified them.

Companies that maintain effective controls over the long haul assess them within a general framework that explains how the controls fit together for a larger purpose tied to business risk. The more stakeholders understand the COSO framework principles, the more they grasp why some control environments remain stable over time while others falter: control environments are systems, not collections of stand-alone procedures.

When a coherent system exists, people understand not just what to do but why they need to do it and how their piece contributes to the end goal. That perspective keeps people engaged through inevitable changes.

The Documentation That Helps

Companies love putting together operating procedure manuals so thick that no one ever reads them, and their contents become outdated the moment a process changes. Documents like that exist to check off audit requirements, not to guide future action.

Control-related documents should be lean enough that people actually read them. They should not spell out unnecessarily complicated steps while failing to note why the control exists in the first place. They should be living documents, updated whenever conditions change.

If the documentation cannot give someone new to the department an understanding of which controls exist and why, and cannot support a review between a manager and a direct report, it is not useful enough to keep controls reliable over time.

Control Ownership

Controls that fail are controls that no one owns. When someone asks who performs the access review, the answer should not be "the team". If ownership is up in the air, or team members change, the control gets skipped when time is at a premium.

Reliable control systems have explicit ownership. Someone is responsible for executing each control; someone else is responsible for monitoring it; and management knows who to ask when they want assurance that the control works as designed.

Ownership brings accountability, and accountability suppresses control drift. When Sarah knows she has to present the access review findings to her manager, she does the review. If it is just "a thing we do in IT", it gets overlooked or done poorly.

The Ongoing Monitoring to Raise Red Flags Early

A poorly monitored control system degrades over time; without ongoing checks against expectations and governance, people let themselves and each other down.

Effective control environments do not wait for the annual assessment to discover that someone has not done what they were supposed to do for months; good monitoring happens at many levels.

The people performing controls verify that they did them correctly; their managers confirm the controls are being done as prescribed; and senior management tracks control metrics and digs into inconsistencies. Catching small problems before they deteriorate into large ones is what reliability delivers.

Frequency also ensures that if something is wrong, the organization learns about it sooner rather than later. Assessing only once a year leaves plenty of time for problems to develop with no touchpoint in between. Companies that maintain reliability build in quarterly or monthly touchpoints, and automated ones where applicable. They want to know when something has failed so they can fix it immediately.

The Change Factor

Change happens, in systems, processes, and organizational charts. No matter how hard people try to shield controls from being supplanted by change, without a defined way of assessing how a change affects the control environment, failure is inevitable.

Companies with reliable systems assess the effect on the control environment before a change is implemented: what controls currently operate in this area, and how will this change affect them?

Without that interrogation, new processes get layered on top of old ones, diluting effectiveness, or old processes that are no longer relevant keep running. The company still does what it thinks is best, but it is only hedging its bets; it is no longer controlling its risk exposure.

The Training That Stays With You

How often are employees trained on the controls they perform? Once at inception, or once when someone new comes on board? After that, is awareness simply expected without any reinforcement?

Reliable systems include regular ongoing training, not only because people forget (they do) but because restating why a control matters keeps it at the forefront of their minds.

This does not have to take the form of formal presentations. Quick recaps during meetings about why specific controls matter, or about what the organization learned the last time something went wrong, work just as well.

The Culture Component

Here is something documentation will not tell you but that makes all the difference: the company's culture around controls. Some organizations view them as bureaucratic annoyances, while others see them as real work that is necessary to keep the business healthy.

When leadership treats control work as critical, when management is patient about the resources it takes even though that is inconvenient, and when people see performing controls as part of doing their jobs well, controls work all day, every day.

Where leadership treats controls as optional, or where getting results matters more than following good process, whatever leadership says out loud, people soon learn what is actually acceptable and what is not.

The Technology Balance

When automated controls replace manual ones, reliability usually increases. Automated controls do not get tired and do not skip steps when they are busy; if they are built correctly, they do what they are supposed to do all day, every day.

But it is a fallacy to assume that because something is automated it is automatically more reliable than a manual control. An automated control can fail silently: the job breaks or stops running and nothing alerts anyone. It also needs oversight, because someone has to confirm it still does what it should and update it whenever the business logic changes.

Companies with reliable control systems automate the repeatable, well-defined cases but keep a human element so that unexamined assumptions do not creep in alongside the automation.

The Built-In Redundancy

No single control should ever be relied upon entirely, yet that is often exactly the situation when a control fails for reasons outside anyone's control: an employee leaves, a system fails, institutional memory fades.

Reliable systems layer detective controls behind preventive ones. The first control may prevent unauthorized access, but if it is bypassed, another control alerts on access attempts that are unusual enough to be suspicious.

Redundancy addresses a risk from several angles at once, so that protection remains in place even when one control is not operating at full capacity.

The Review Cycle That Actually Improves Things

Annual reviews happen everywhere because they are mandated, but few organizations connect them to actually improving the controls. Someone rubber-stamps that the controls exist, notes any exception, and moves on.

Companies with reliable controls treat reviews as a means of improvement: does this control still operate? Is it still relevant? Is there something better?

This mindset keeps the safeguards current instead of letting them accumulate into a pile of procedures that once made sense but are now stitched together into something no one would design from scratch.

The Investment For Maintenance

Finally, none of this matters unless the organization invests enough to maintain the system. The implementation cost was not the end of it: ongoing assessment, and dedicated budget and staff time for control execution and monitoring, are what sustain effectiveness over time.

Companies that maintain effective systems budget for the continued effort, including the tooling that supports review processes. It is part of the normal cost of running business processes, not a miracle expected without resources.

Companies fail when they do not plan for this: they do not account for the staff time and effort required, resources get stretched too thin, and controls are performed superficially until a problem is discovered later down the road.

Sustained Effectiveness

Control systems remain reliable over time when they are integrated through a coherent structure instead of isolated procedures, ownership is explicit, monitoring spots problems before they escalate, and maintenance is funded. None of this is done once; all of it is an ongoing commitment.

The companies that get it right realize that what matters is not an effective initial implementation but a system with enough support behind it that every level of the organization can assess its effectiveness over time and fix problems before they become serious.

That sustained effectiveness is what separates controls that genuinely protect an organization from surface-level ones that look good in an audit until something goes wrong.